Undercover Tests Show Passport Issuance Process Remains Vulnerable to Fraud
GAO-10-922T, Jul 29, 2010
A U.S. passport is one of the most sought after travel documents in the world, allowing its holder entrance into the United States and many other countries. People attempting to obtain a U.S. passport illegally often seek to use the guise of a U.S. citizen to conceal their involvement with more serious crimes, such as terrorism, drug trafficking, money laundering, or murder. In March 2009, GAO reported on weaknesses in State's passport issuance process that could allow a terrorist or criminal to fraudulently acquire a genuine U.S. passport. Specifically, GAO easily obtained four genuine passports from State using counterfeit documents. In April 2009, GAO suggested that State take 5 corrective actions based on these undercover tests and State acknowledged those corrective actions. GAO was asked to perform additional proactive testing of State's passport issuance process to determine if it continues to be vulnerable to fraud. To do this work, GAO applied for seven U.S. passports using counterfeit or fraudulently obtained documents, such as driver's licenses and birth certificates, to simulate scenarios based on identity theft. GAO created documents for seven fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. Undercover investigators applied for passports at six U.S. Postal Service locations and one State-run passport office.
State's passport issuance process continues to be vulnerable to fraud, as the agency issued five of the seven passports GAO attempted to fraudulently obtain. While there were multiple indicators of fraud and identity theft in each application, State identified only two as fraudulent during its adjudication process and mailed five genuine U.S. passports to undercover GAO mailboxes. GAO successfully obtained three of these passports, but State had the remaining two recovered from the mail before they were delivered. According to State officials, the agency discovered--after its adjudication process--that the two passports were part of GAO testing when they were linked to one of the passport applications it initially denied. State officials told GAO that they used facial recognition technology--which they could have also used during the adjudication process--to identify the two remaining applications. GAO's tests show that State does not consistently use data verification and counterfeit detection techniques in its passport issuance process. Of the five passports it issued, State did not recognize discrepancies and suspicious indicators within each application. Some examples include: passport photos of the same investigator on multiple applications; a 62 year-old applicant using a Social Security number issued in 2009; passport and driver's license photos showing about a 10 year age difference; and the use of a California mailing address, a West Virginia permanent address and driver's license address, and a Washington, D.C. phone number in the same application. These were fraud indicators that should have been identified and questioned by State. State also failed to crosscheck the bogus citizenship and identity documents in the applications against the same databases that it later used to detect GAO's other fraudulent applications. State used facial recognition technology to identify the photos of GAO undercover investigators and to stop the subsequent delivery of two passports but not to detect fraud in the three applications that GAO received, which all contained a passport photo of the same investigator.